Privacy Notice

The purpose of this notice is to inform you of the type of information (including personal information) that the Integrated Care Board (ICB) holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.

This privacy statement only covers NHS Suffolk and North East Essex Integrated Care Board and does not cover any other organisations or organisations that can be linked to from this site.

You can also read a shorter version of this notice, which may also be helpful for children and young adults. We also have information about how we handle the personal data of people who interact with the MNISA service, via the Maternity and Neonatal Independent Senior Advocacy Service Privacy Notice.

Who we are and what we do

NHS Suffolk and North East Essex Integrated Care Board

Severalls Business Park
Aspen House
Stephenson Road

Information Commissioners Office (ICO) registration number: ZB340189

Data Protection Officer – Paul Cook (IG) – email:

NHS Suffolk and North East Essex Integrated Care Board are responsible for implementing the commissioning roles as set out in the Health and Care Act 2022.

The ICB processes several different types of information:

  • Identifiable – containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth
  • Pseudonymised information – individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
  • Anonymised – about individuals but with all identifying details removed
  • Aggregated – statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.

We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use Pseudonymised / anonymised data for this purpose which will mean you would not be able to be identified from that information.

Examples of this include:

  • Evaluation and review of services such as checking their quality and efficiency
  • Checking NHS accounts and services
  • Working out what illnesses people will have in the future so that we can work with the local primary care services, community services and hospital services to make sure that patient needs are met
  • Preparing performance reports about the services we commission
  • Reviewing the care we commission to make sure it is of the highest standard

We will only use information that may identify you (known also as personal confidential data) in accordance with the: Data Protection Act 2018 – The Data Protection Act requires us to have a legal basis if we wish to process any personal information.

Therefore, as a commissioning organisation we do not routinely hold medical records or patient confidential data. There are some specific areas, however, because of our assigned responsibilities where we do hold and use personal information. In order to process that information, we will have met a legal requirement, in general this is where we have complied with one of the following:

  • The information is necessary for facilitating direct healthcare for patients
  • We have received consent from individuals to be able to use their information for a specific purpose
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
  • We have special permission for health purposes (granted by the Health Research Authority Section 251)
  • For the health and safety of others, for example to report an infectious disease such as COVID-19, meningitis or measles

Circumstances where we might need to use personal information

The areas where we use personal information are:

  • Individual Funding Requests (IFR) – a process where patients and their GPs can request special treatments not routinely funded by the NHS
  • Continuing Healthcare Assessments (a package of care for those with complex medical needs)
  • The Medicines Management team work closely with the GP practices to support effective prescribing
  • Social Prescribing Team
  • Responding to your queries, concerns or complaints
  • Incident investigations
  • Assessment and evaluation of safeguarding concerns for individuals
  • If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations
  • To assess the needs of the general population
  • To process job applications
  • Risk stratification
  • Financial validation

In order to start operating as an Integrated Care System (ICS), SNEE ICB needs to be able to share the commissioning data with partners of their Integrated Care System. The ICB has agreed with NHS Digital that it can share commissioning data under a sub-license approach.

Each ICS partner organisation that requires a commissioning dataset, will be required to complete and sign-up to a sub-licensing agreement with terms and conditions.

The legal basis for sharing the data with ICS partners is as follows:

UKGDPR Article 6 (1) (e) and Article 9 (2) (h)

Onward sharing of the data by ICS partners (including sharing with data processors) is not permitted. Data must be segregated from other datasets and additional linkage is not permitted.

Current ICB sub-licencing agreements are in place with:

  • East Suffolk and North Essex NHS Foundation Trust
  • Essex Partnership University NHS Foundation Trust
  • Norfolk and Suffolk NHS Foundation Trust
  • West Suffolk NHS Foundation Trust
  • Essex County Council
  • Suffolk County Council

As further agreements with ICS partners are agreed, they will be added to this list.

The SNEE ICB IG Team will hold the signed ICB sub licensee agreements.

Population Health Management (PHM) – is helping Suffolk and North East Essex Integrated Care System (ICS) understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined up and sustainable health and care services, and make better use of public resources.

We use historical and current patient level data to understand what factors are driving poor outcomes in different population groups, we then design new proactive models of care which will improve health and wellbeing. This could be by stopping people becoming unwell in the first place, or, where this isn’t possible, improving the way the system works together to support them.

This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be re-identified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice or health/care provider will be able to see your personal information in order to offer this service to you.

In order to carry out this data linkage, your pseudonymised data will be passed to NHS North of England Commissioning Support Unit (NECS), part of NHS England, who will link this to other local and national data sources to be able to carry out appropriate analyses. These linked datasets will also be shared securely with Optum Health Solutions, who act as Data Processor for the ICB to carry out any further analysis needed to support improvements to the local populations health and to target health and social care resources effectively.

PHM is a partnership approach across the NHS and other public services, the outputs of the PHM programme will be shared across these organisations. All have a role to play in in addressing the interdependent issues that affect people’s health and wellbeing.

Learn more about PHM in Suffolk and north east Essex.

Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.

The Integrated Care Board also uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS England from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.

There is currently section 251 support (23/CAG/0127) in place for the Integrated Care Board to be able to receive data with the NHS Number as an identifier from both NHS England and your GP Practice to enable this work to take place.  The Data is sent directly into a risk stratification tool from NHS England and GP Practices to enable the data to be linked and processed as described above.  Once the data is within the tool, Integrated Care Board staff only have access to anonymised or aggregated data.

GPs can identify individual patients from the risk stratified data when it is necessary discuss the outcome and consider preventative care.

Risk stratification brings together health related data for identifying and managing patients who should be classified as:

  • “at risk of an emergency hospital admission or deterioration in health” or
  • identify a specific population that health services may then prioritise.

The Purpose is to:

  • Reduce health inequalities and improve overall outcomes.
  • Help decide if a patient is at greater risk of suffering a particular condition
  • Prevent an emergency admission to hospital
  • Identify if a patient needs medical help to prevent a health condition from getting worse.
  • Help the ICB to commission appropriate preventative services and promote quality improvements in existing services.

Legal Basis

UKGDPR Article 6 1(e):  processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

UKGDPR Article 9 2(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

A Section 251 approval (23/CAG/0127) from the Secretary of State, through the Confidentiality Advisory Group (CAG) of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

The CAG register can be found on the NHS Health Research Authority website.

There is no requirement for a legal basis for use of the aggregated information which is available to the ICB as this does not identify individuals.

Data Processing Activities

The ICB processes this data internally. Data is also processed by North of England Commissioning Support Unit (NECS) and Prescribing Services Ltd on behalf of the ICB.

If you wish to Opt out / object to your information being used in this way

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

If you do not wish your data to be included in the risk stratification service (even though it is in a format which does not directly identify you) you can choose to opt-out.

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, you can contact the ICB PALS Team at or contact your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the Risk Stratification programme.

Changes to Data Controller Organisations for Risk Stratification

As of 1st July 2022, Clinical Commissioning Groups were replaced with Integrated Care Boards under the Health and Care Act 2022.  The Confidentiality Advisory Group (CAG) have confirmed that an administrative amendment was supported to allow the processing of patient confidential data in line with the new Act by the Integrated Care Boards and data processors on behalf of GPs.

From April 2024 NHS England will delegate 59 specialised commissioning services to ICBs (detailed below) within three NHSE regions. These services will be jointly delivered, for this year (April 24-April 25)

NHS England East of England region,

NHS England Midlands region,

NHS England North-West region,

The NHS England website has more information on how commissioning is changing, integrated care and their commissioning road map.

The ICB’s Medicines Optimisation Team, work with GP practices to provide advice on medicines/prescribing queries and review prescribing of medicines to ensure that it is safe. In some cases, to ensure clinical safety, this may require the use of personal data.

In cases where personal data needs to be processed, this is done with GP Practice agreement.  No data is processed from GP Practice clinical systems and no changes are made to patient’s records without permission from the GP.

Where specialist support is required, for example, to advise community pharmacists to order a drug that comes in solid, gas or liquid form; the ICB medicines optimisation pharmacists will provide advice on behalf of a GP to support your care. Personal data is used for this purpose.

Personal data is also used by our medicines optimisation team to review and authorise (if appropriate) requests for high-cost drugs which are not routinely funded.

Legal basis for processing Personal Data and Special Category of data under UK GDPR

Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

Common Law Duty of Confidentiality basis – Implied Consent


To support the processing of data for a child or young person who has special education needs and disabilities. (SEND) The ICB is has a role in co-operating with councils and education with multiagency working The ICB has a Designated Clinical Officer (DCO) role which supports the Integrated Care Board (ICB) to meet our statutory responsibilities for children and young people with SEND. The DCO plays a key part in putting into action the SEND reforms, and in supporting joined up working between health services and local authorities.…

Legal Basis

UK GDPR, Article 6(1): (e) Public Task, processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

Article 9(2)(h) Health or social care (with a basis in law)

Children and Families Act 2014 and SEND Code of Practice 2014.
The Children and Families Act (2014) requires Integrated Care Boards and Local Authorities to work together with children and young people with SEND and their families, to ensure that appropriate services are available to meet their needs and enable them to live ordinary lives.

Processing Activities

The processing is a statutory duty for ICB’s and local authorities Information is collected by the County Councils to inform the overall SEND process. The ICB has a Designated Clinical Officer role which supports the Integrated Care Board (ICB) to meet our statutory responsibilities for children and young people with SEND. The DCO plays a key part in putting into action the SEND reforms and in supporting joined up working between health services and local authorities.

The ICB will have access to information to assist in the coproduction of Education Health Care Plans (EHCP) for a child or young person with SEND. Liaising with families and professionals to agree appropriate plans to support their needs.

Information will be both personal and special category information:

Local system ID
Sex/ gender
Age / Date of birth
Address/ postcode
Early Help and Social Care data (where it applies to or is part of the EHCP application, plan or review).

Children’s statutory education school or post-16 education destination information

Health (where it applies to or is part of the EHCP application, plan or review, NHS Number).

Disability status SEND data, including EHCP and Annual Review information and content, High Needs Funding banding information.

The ICB is required as part of SEND legislation to monitor quality and improvements within the multi-agency system for children and young people with SEND. This involves the Auditing of quality and improvement of Statutory health advice for EHCP needs assessments and reviews following any actions from Joint area SEND inspections.

The ICB have a duty to ensure CYP health needs are met as part of EHCP which requires joint quality review visits. The ICB will also act as mediator, where there is disagreement resolution and tribunal dispute. It can sit on panels relevant to support required for the child or young person, such as but not limited to, placement panels, exception funding panels, and tripartite funding panels. Local Authorities and NHS also contact the ICB for advice and support and escalate where necessary, Children & Young People with SEND under SEN needs but are not under an EHCP as well as those with medical needs moving around and in and out of our ICB area to and from others.

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.

How your data is used

Information about your individual care such as treatment and diagnoses is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital. It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.

Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.

You have a choice

You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.

Will choosing this opt-out affect your care and treatment?

No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What do you need to do?

If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.
To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.

We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption and information is transferred safely and securely.

The ICB does not transfer personal confidential information overseas.

Under the Data Protection Act 2018, the ICB is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable data is collected, held and processed.

The ICB has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

In Health and Care, all organisations apply retention schedules in accordance with the NHS Records Management Code of Practice 2021 which determines the length of time records should be kept.

We work with several other NHS and partner agencies to provide health and social care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.

We contract with other organisations to provide a range of services to us such as IT services, Payroll and other support service. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.

We ensure our external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Current external data processors:

Data Services for Commissioners Regional Offices (DSCRO) this is a regional secure service provided to the ICB by NHS Digital via North of England Commissioning Support Unit (NECSU).

Information may also be required to be shared for your benefit with other non-NHS organisations, from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless it is to facilitate direct care or there are exceptional circumstances or a legal obligation such as;

  • There is a risk of harm to someone or the wider community
  • The prevention or detection of a serious crime
  • Where we are required to do so by law
  • Reporting some infectious diseases
  • Prevention and detection of fraud – National Fraud Initiative (NFI)

If we are obligated to release information as described above, this will usually only be done with the approval of our Caldicott Guardian.

The ICB is party to several information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation. These NHS and non-NHS organisations may include, but are not restricted to social services, education services, local authorities, police, and public health.

Under data protection law, you have rights including:

  • Your right of access – You have the right to ask us for copies of your personal information.
  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing – You have the the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at: if you wish to make a request.

If you have any concerns about our use of your personal information, you can make a complaint to us at

Data Protection Officer (DPO)
Suffolk and North East Essex Integrated Care Board
Aspen House
Severalls Business Park
Stephenson Road
Or Email the DPO at:

If you are not happy with the response, you can also complain to the Information Commissioners Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane

Helpline number: 0303 123 1113
ICO website:

If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

Privacy Notice reviewed: March 2023

Information previously held by the CCGs

Information that has been held previously by Ipswich and East Suffolk, West Suffolk and North East Essex CCGs was transferred to NHS Suffolk and North East Integrated Care Board (ICB) on 1st July 2022.  The ICB will become the new data controller.  Any questions about the use of data (including patient data) by the ICB should be directed to

Page last modified: 20 May 2024
Next review due: 20 November 2024